Security Lapse Exposed New York Airport's Critical Servers For a Year (zdnet.com) 45
An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.
Re: (Score:2)
specialist should be removed from this bonehead's reference...
Or quoted:
Installed by a contract third-party IT "specialist"
Re: (Score:2)
This is short for "My cousin Vinnie's 13 year old son. He's a whiz at these things"
Re: (Score:3)
This is short for "My cousin Vinnie's 13 year old son. He's a whiz at these things"
Barron is really good at the cyber
Re:installed by a contract third-party IT speciali (Score:4, Insightful)
As an independent IT specialist myself, you can't believe the boneheaded clients that will either demand an uncomplicated "no password" policy, fail to follow directions or too cheap to update or go in and make these type of setting themselves after the fact.
Could easily be that the IT contractor set it up for a particular IP range and then the customer wanted to do something from home or allow remote workers, saw the bill and said "removing this line makes it work", became the office IT fixer and then at their next employee review "I saved the company $15000/year in consulting cost".
There are plenty of idiots in IT, but the cheap-skate know-it-all customers are way worse. I think computers and "IoT" devices should go back to defaulting to a command prompt only accessible by serial cable or local terminal and bring nothing online unless explicitly configured.
Re: (Score:2)
I can believe it was the client's idea. As an IT guy, I would have walked away, after explaining that I wasn't going to be party to people too cheap or too stupid to do their job correctly, and risk the safety of everyone that uses that airport.
Re: (Score:3)
No.
As an IT guy myself, I would have (and did -- now retired) talked to anyone who would listen, including managing partners, and insisted on implementing best practices.
Then I would send an email to the whomevers and let them reject my recommendations for the record.
Business makes the final call. but I always covered my ass and had evidence that installations were to their specs, despite having been warned.
If the install was something they'd never actually have to manage, I'd change the admin password to
Re: (Score:3)
I used to do the same. I don't any more. After being thrown under the bus for doing EXACTLY what the customer said, against my recommendations(documented no less), no thank you.
WHICH happens to be a great way to make your point even stronger. Telling a customer "no, I won't" gets them to think, perhaps a little. I've had a couple people ask me why I won't, and basically say, "When the shit hits the fan, I don't want to be involved, don't want to clean the mess up, and don't want to take the fall for anyone
Re: (Score:2)
"Good IT is expensive, bad IT is costly".
I like it.
Re: (Score:1)
Re: (Score:2)
It's an accumulation of "little things" that some bozo decides he can do himself resulting in initial savings until the shit hits the fan.
I've gone to plenty of customer sites (I'd say 75% of them) where routers and switches, backup drives and even servers appear all on their own. "Oh yeah we bought that to do x" and often I unplug it and have to tell them "well this is your problem" "but it worked for a couple of weeks" "and then you had a power outage and now there are 2 different DHCP ranges on your netw
Re: (Score:1)
Re: (Score:2)
The $15,000 in "cumulative savings" I referred to will probably cost more in the long term. In the router case, the issue did cost them more in the end. I had to bill them for an unscheduled emergency call, troubleshoot what was going wrong, then I had to take out the $50 router and walk around and reboot every terminal. In this instance, they did save the $250 initially quoted ($200 if you count the $50 they gave the bartender's nephew) but ended up paying $400 and the money spent prior was also wasted (be
Open internet? Why? (Score:2)
What is up with companies putting every machine they have on an open internet connection?
Once there used to be well considered decisions on what bits of the corporate infrastructure needed to be exposed at all.
Do they now hire just anybody who knows how to type a password by himself, and say "go for it! set up our security!".
Re: (Score:2)
My nephew is about to graduate from high school, and he's real interested in computer security... I think he's well qualified for that job of yours... don-cha-know?
Re: (Score:1)
Do they now hire just anybody who knows how to type a password by himself, and say "go for it! set up our security!".
This is what you get when a company views IT as strictly an expense that should be minimized, not an asset that keeps your shit working and secure.
"a Buffalo-branded drive" (Score:3)
Re: (Score:2)
Hanlon's Razor
Never attribute to malice that which can be explained by incompetence.
Re: (Score:1)
*Barely* an airport (Score:1)
Stewart is a relatively small airport They handle a relatively small number of commercial flights in a day. A minor number are international. It qualifies as an international airport by virtue of having customs and handling a few international flights, but at least this somewhere like Newark Liberty or JFK, it's an airport way out in the country in Orange County, an hour from NYC. Making a mistake like this at an airport this size, while in excusable, is not a shock.
Re: (Score:2)
And courtesy of the Bureau of Transportation, as of November 2016 they have only *eight* scheduled flights per day in *total* to any de
Re: (Score:2)
Stewart = ConAir departure point (Score:2, Informative)
I've been flown out of Stewart a couple of times. It's the departure point for New York area Federal prisoners bound for FTC Oklahoma City and other points. The US Marshals drive buses and vans from all over the area (MDC Brooklyn, MCC Manhattan, Danbury, Ft. Dix, etc.) every Tuesday and Thursday afternoon to Stewart to meet a white, unmarked JPATS jet (737 or MD-80). Prisoners are usually in paper jumpsuits, shackled ankles, wrists, and waist, and are patted down on the apron next to the jet.
Transfer ta
Really? (Score:2)